type: object
properties:
  debugLogging:
    type: boolean
    default: false
    description: Enabled debug logging for Cilium components.
  labelsRegex:
    type: array
    description: |
      Cilium creates security identifiers based on the k8s entity labels. The more labels are involved in this process, the higher the access granularity that can be achieved.
      However, in large clusters, excessive granularity can create a heavy load. You can use the `labelsRegex` option to explicitly specify which labels are to be used for security policies,
      and which labels are to be neglected. Refer to the [documentation](https://docs.cilium.io/en/stable/operations/performance/scalability/identity-relevant-labels/#limiting-identity-relevant-labels) to learn more about reducing the identity cardinality

      Each label must be specified by a RegExp expression in YAML quoted string format. Note that special characters must be escaped.
    x-doc-examples:
      - ["k8s:!app\\.kubernetes\\.io", "k8s:io\\.cilium\\.k8s\\.policy"]
    items:
      type: string
  createNodeRoutes:
    type: boolean
    description: |
      Create routes to Pods on other Nodes.

      All Nodes must be located in the same L2 domain.
  tunnelMode:
    type: string
    enum: ["Disabled", "VXLAN"]
    default: "Disabled"
    description: |
      Tunnel mode.

      > Note! After changing the parameter, it is necessary to restart all nodes, otherwise, there may be problems with the availability of Pods!

      > Note! VXLAN mode is not compatible with following bpfLBMode modes: Hybrid, DSR. bpfLBMode will be overriden to SNAT if the tunnelMode is VXLAN.
  svcSourceRangeCheck:
    type: boolean
    default: false
    description: |
      For services of the `loadBalancer` type, enables checking the source IP for compliance with [loadBalancer.sourceRanges](../402-ingress-nginx/cr.html#ingressnginxcontroller-v1-spec-loadbalancer-sourceranges).
      The check is not performed if access is made from within the cluster or the `sourceRanges` parameter is empty/not specified.
      Some cloud providers support filtering of incoming traffic based on the `sourceRanges` parameter in their loadBalancer implementations. In such cases, the [cilium documentation](https://docs.cilium.io/en/stable/network/kubernetes/kubeproxy-free/#loadbalancer-source-ranges-checks)
      recommends disabling the `svcSourceRangeCheck` option.

      Do not enable if another balancer or any type of SNAT is running in front of the services.
  policyAuditMode:
    type: boolean
    default: false
    description: |
      Do not enforce any Network Policy. Just log allowed/disallowed connections.
  bpfLBMode:
    type: string
    default: "Hybrid"
    enum: ["SNAT", "Hybrid", "DSR"]
    description: |
      eBPF LoadBalancer mode:
      - `SNAT` - traffic from the client to the pod (and back) passes through NAT, and accordingly the sender's address is lost.
      - `DSR` - traffic from the client to the pod passes with the sender's address preserved, and back - according to the routing rules (bypassing the balancer). This mode saves network traffic and reduces delays, but only works for TCP traffic.
      - `Hybrid` - TCP traffic is processed in DSR mode, and UDP traffic is processed in SNAT mode.

  resourcesManagement:
    description: |
      Settings for CPU and memory requests and limits by cilium agent pods.
    default: {}
    oneOf:
    - properties:
        mode:
          enum: [ "VPA" ]
        vpa: {}
    - properties:
        mode:
          enum: [ "Static" ]
        static: {}
    x-examples:
    - mode: VPA
      vpa:
        mode: Auto
        cpu:
          min: "50m"
          max: 2
          limitRatio: 1.5
        memory:
          min: "256Mi"
          max: "2Gi"
          limitRatio: 1.5
    - mode: Static
      static:
        requests:
          cpu: "55m"
          memory: "256Mi"
        limits:
          cpu: 2
          memory: "2Gi"
    properties:
      mode:
        type: string
        description: |
          Resource management mode:
          - `Static` is a classic one. In it, you specify requests/limits. The parameters of this mode are defined in the [static](#parameters-resourcesmanagement-static) parameter section;
          - `VPA` mode uses [VPA](https://github.com/kubernetes/design-proposals-archive/blob/main/autoscaling/vertical-pod-autoscaler.md). You can configure this mode by modifying parameters in the [vpa](#parameters-resourcesmanagement-vpa) parameter section.
        enum: ['VPA', 'Static']
        default: 'VPA'
      vpa:
        type: object
        default: {}
        description: |
          Resource management options for the `VPA` mode.
        properties:
          mode:
            type: string
            description: |
              VPA operating mode.
            enum: ['Initial', 'Auto']
            default: 'Initial'
          cpu:
            type: object
            default: {}
            description: |
              CPU-related VPA settings.
            properties:
              max:
                description: |
                  The maximum value that the VPA can set for the CPU requests.
                default: 4
                oneOf:
                - type: string
                  pattern: "^[0-9]+m?$"
                - type: number
              min:
                description: |
                  The minimum value that the VPA can set for the CPU requests.
                default: '100m'
                oneOf:
                - type: string
                  pattern: "^[0-9]+m?$"
                - type: number
              limitRatio:
                type: number
                examples: [1.5]
                description: |
                  The CPU limits/requests ratio.

                  This ratio is used for calculating the initial CPU limits for a pod.

                  If this parameter is set, the VPA will recalculate the CPU limits while maintaining the specified limits/requests ratio.
          memory:
            type: object
            default: {}
            description: |
              Memory-related VPA settings.
            properties:
              max:
                description: |
                  The maximum memory requests the VPA can set.
                default: '4Gi'
                oneOf:
                - type: string
                  pattern: '^[0-9]+(\.[0-9]+)?(E|P|T|G|M|k|Ei|Pi|Ti|Gi|Mi|Ki)?$'
                - type: number
              min:
                description: |
                  The minimum memory requests the VPA can set.
                default: '128Mi'
                oneOf:
                - type: string
                  pattern: '^[0-9]+(\.[0-9]+)?(E|P|T|G|M|k|Ei|Pi|Ti|Gi|Mi|Ki)?$'
                - type: number
              limitRatio:
                type: number
                examples: [1.5]
                description: |
                  The memory limits/requests ratio.

                  This ratio is used for calculating the initial memory limits for a pod.

                  If this parameter is set, the VPA will recalculate the memory limits while maintaining the specified limits/requests ratio.
      static:
        type: object
        description: |
          Resource management options for the `Static` mode.
        properties:
          requests:
            type: object
            description: |
              Resource requests settings for pods.
            properties:
              cpu:
                oneOf:
                - type: string
                  pattern: "^[0-9]+m?$"
                - type: number
                description: |
                  Configuring CPU requests.
              memory:
                oneOf:
                - type: string
                  pattern: '^[0-9]+(\.[0-9]+)?(E|P|T|G|M|k|Ei|Pi|Ti|Gi|Mi|Ki)?$'
                - type: number
                description: |
                  Configuring memory requests.
          limits:
            type: object
            description: |
              Configuring CPU and memory limits.
            properties:
              cpu:
                oneOf:
                - type: string
                  pattern: "^[0-9]+m?$"
                - type: number
                description: |
                  Configuring CPU limits.
              memory:
                oneOf:
                - type: string
                  pattern: '^[0-9]+(\.[0-9]+)?(E|P|T|G|M|k|Ei|Pi|Ti|Gi|Mi|Ki)?$'
                - type: number
                description: |
                  Configuring memory limits.
